Re: [PATCH v2 00/10] Add CA enforcement keyring restrictions

From: Eric Snowberg
Date: Mon Dec 12 2022 - 21:42:28 EST

> On Dec 12, 2022, at 2:44 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> Hi Eric, Coiby,
>
> On Fri, 2022-12-09 at 15:44 +0000, Eric Snowberg wrote:
>>> On Dec 9, 2022, at 3:26 AM, Coiby Xu <coxu@xxxxxxxxxx> wrote:
>>>
>>> Thanks for your work! The patch set looks good to me except for the
>>> requirement that an intermediate CA certificate be vouched for by a
>>> root CA certificate before it can vouch for other certificates. What if
>>> users only want to enroll an intermediate CA certificate into the MOK?
>>
>> This question would need to be answered by the maintainers. The intermediate
>> requirement was based on my understanding of previous discussions requiring
>> there be a way to validate root of trust all the way back to the root CA.
>
> That definitely did not come from me. My requirement all along has
> been to support a single self-signed CA certificate for the end
> user/customer use case, so that they could create and load their own
> public key, signed by that CA, onto the trusted IMA/EVM keyrings.
>
>>
>>> If this requirement could be dropped, the code could be simplified and
>>> some issues could be resolved automatically,
>>
>> Agreed. I will make sure the issue below is resolved one way or the other,
>> once we have an agreement on the requirements.
>
> I totally agree with Coiby that there is no need for intermediate CA
> certificates to be vouched for by a root CA certificate. In fact the
> closer the CA certificate is to the leaf code signing certificate, the
> better. As much as possible we want to limit the CA keys being loaded
> onto the machine keyring to those that are absolutely required.

Ok, I will change this in the next round. The confusion around the requirement
comes from the request to validate that the cert is self-signed. The intermediate in this
case will not be self-signed. As long as this check is not necessary, I will drop it from
the code and allow the intermediate to vouch for the IMA key without the root being
present. Thanks for clearing this up.